WebInspect - multiple layers of Site authentication
I'm having some trouble with multiple layers of site authentication and wanted to know if anyone may have a solution for this issue.
I am utilizing the WI Macro for the initial splash page login, which I am able to do successfully. However, there is another mini application that is accessible through the application that automatically launches in a new tab in the browser and requires additional authentication. In the Macro, the new tab launches but never loads and I am unable to authenticate at the second level.
I am able to authenticate to both levels within my browser outside of WebInspect, but not through the Macro. Has anyone had success trying to go through multiple levels of authentication?
Re: WebInspect - multiple layers of Site authentication
However, if the second authentication case is not always encountered or performed when the first one is processed, you may not be able to get by with a (single) Login Macro. There is no way to configure two separate Login Macros for a WebInspect scan, so you may need to mark that second authentication process as part of an Interactive Mode scan. This would be the same as configuring for a manual CAPTCHA or RSA ID Token field.
(1) Open the Web Forms Editor tool, and Add a unique field or marker that would be found in an HTTP Response when the second login process is required, e.g. "please log into our secondary process". Right-click and mark that field as Interactive. It does not need to be the input field specifically, just something that will trigger the pop-up in WebInspect when your input is required.
(2) In your scan settings, Method panel, specify your saved Web Forms input file in the field for "Auto fill web forms..."
(3) Also on the Method scan settings panel, enable both boxes for "Prompt for web forms values..." and also "Only prompt for tagged inputs".
(4) Start your scan with these settings and Input File.
** Your scan will now be automated until it strikes that field you marked as Interactive. The WebInspect scan thread will Pause and pop a browser window asking you for your human input (the secondary authentication), and it will Resume once completed. The other Requestor threads will continue unabated as they carry their own session state individually (if a default Crawl&Audit, 15 total threads by default).
-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify